autoforme 1.7.0 → 1.10.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 83fda57cc1135158108ed30103403c23d0600ccf
-  data.tar.gz: 42e3f1e0bae263ea3e5babc767cb3492bf2f5efe
+SHA256:
+  metadata.gz: 6f9fb399d144c4bfc7eed6e2a4f7497cab7bc25b8409d555c4f67fb91bad9bb7
+  data.tar.gz: bffb9114ef162400c639abb1ee17b7eb42ced481294d152e2603711c01752274
 SHA512:
-  metadata.gz: 0d716b34aec6a9b8a7e85e6c3928a029240ff1959b3e94358cdbcd974164f34a6a68206d698977d5cdfedbf253b6973ae04713574693f20d18c6933647e7c47f
-  data.tar.gz: fc8efa80a2e498952c10c1052b9eccee17d20a5d488e7416537e3eae89b76f6505cddf3058be80580f139e959f5d3a9f82c2c8bbfb411b172f7783e704b5f0c0
+  metadata.gz: 15cd700c5edc91d860dcec0209dae57dd3db48ebe2bc6cf66f19b9d786d7a51b23f909ec80a0a2333af8d9c42c165690dd6710c26ebfadfbfa93c9d17618976b
+  data.tar.gz: 0c4a42c4e34e398209f98e85303558ef95447eb6a1e8f6351a182f214a1dab7b754f86aca8d81d35ba32d5890a09fa417a28c7e8212a2284df5d265c776533e8

data/CHANGELOG

@@ -1,3 +1,27 @@
+=== 1.10.0 (2021-08-27)
+
+* Do not consider read_only many_to_many associations to be editable (jeremyevans)
+
+* Ignore unique constraint violations when adding associated objects in mtm_update (jeremyevans)
+
+* Handle search fields that cannot be typecast correctly by returning no results (jeremyevans)
+
+=== 1.9.1 (2019-07-22)
+
+* [SECURITY] Escape object display name when displaying association links (adam12)
+
+=== 1.9.0 (2018-07-18)
+
+* Add support for using flash string keys in the Roda support, to work with Roda's sessions plugin (jeremyevans)
+
+* Show correct page title on error pages (jeremyevans)
+
+=== 1.8.0 (2018-06-11)
+
+* Add support for Roda route_csrf plugin for request-specific CSRF tokens (jeremyevans)
+
+* Default to size of 10 for select multiple inputs (jeremyevans)
+
 === 1.7.0 (2017-10-27)
 
 * Respect Model#forme_namespace method for parameter names (adam12, jeremyevans) (#9)

data/MIT-LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2013-2017 Jeremy Evans
+Copyright (c) 2013-2021 Jeremy Evans
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to

data/README.rdoc

@@ -22,8 +22,7 @@ flexible in terms of configuration.
 Demo Site :: http://autoforme-demo.jeremyevans.net
 RDoc :: http://autoforme.jeremyevans.net
 Source :: https://github.com/jeremyevans/autoforme
-IRC :: irc://irc.freenode.net/forme
-Google Group :: https://groups.google.com/forum/#!forum/ruby-forme
+Discussion Forum :: https://github.com/jeremyevans/autoforme/discussions
 Bug Tracker :: https://github.com/jeremyevans/autoforme/issues
 
 = Features
@@ -161,12 +160,13 @@ These options are related to displayed output:
 
 form_attributes :: Hash of attributes to use for any form tags
 form_options :: Hash of Forme::Form options to pass for any forms created
-class_display_name :: The string to use when referring to the model class
+class_display_name :: The string to use on pages when referring to the model class.
+                      This defaults to the full class name.
 display_name :: The string to use when referring to a model instance.  Can either be a symbol
                 representing an instance method call, or a Proc called with the model object,
                 the model object and type symbol, or the model object, type symbol, and request,
                 depending on the arity of the Proc.
-link_name :: The string to use in links for the class
+link_name :: The string to use in links for the class. This defaults to +class_display_name+.
 edit_html :: The html to use for a particular object edit field.  Should be a proc that takes the
              model object, column symbol, type symbol, and request and returns the html to use.
 page_footer :: Override the default footer used for pages
@@ -197,7 +197,7 @@ symbol and request).
 
 Additionally, AutoForme.for accepts a :prefix option that controls where the forms are mounted:
 
-  AutoForm.for(:sinatra, self, :prefix=>'/path/to') do
+  AutoForme.for(:sinatra, self, :prefix=>'/path/to') do
     model Artist
   end
 
@@ -238,6 +238,66 @@ use AutoForme in Rails development mode.  The best way to handle it is to call
 +AutoForme.for+ in the related controller file, and have an initializer reference
 the controller class, causing the controller file to be loaded.
 
+= Roda
+
+Because Roda uses a routing tree, unlike Rails and Sinatra, with Roda you need to
+dispatch to the autoforme routes at the point in the routing tree where you want
+to mount them.  Additionally, the Roda support offers a Roda plugin for easier
+configuration.
+
+To mount the autoforme routes in the root of the application, you could do:
+
+  class App < Roda
+    plugin :autoforme do
+      model Artist
+    end
+
+    route do
+      # rest of routing tree
+      autoforme
+    end
+  end
+
+To mount the routes in a subpath:
+
+  class App < Roda
+    plugin :autoforme do
+      model Artist
+    end
+
+    route do
+      r.on "admin" do
+        autoforme
+      end
+
+      # rest of routing tree
+    end
+  end
+
+To handle multiple autoforme configurations, mounted at different subpaths:
+
+  class App < Roda
+    plugin :autoforme
+
+    autoforme(name: 'artists')
+      model Artist
+    end
+    autoforme(name: 'albums')
+      model Album
+    end
+
+    route do
+      r.on "artists" do
+        autoforme('artists')
+      end
+      r.on "albums" do
+        autoforme('albums')
+      end
+
+      # rest of routing tree
+    end
+  end
+
 = TODO
 
 * capybara-webkit tests for ajax behavior

data/lib/autoforme/action.rb

@@ -87,7 +87,7 @@ module AutoForme
       else
         return false unless model.supported_action?(normalized_type, request)
 
-        if title = TITLE_MAP[type]
+        if title = TITLE_MAP[@normalized_type]
           @title = "#{model.class_name} - #{title}"
         end
       end
@@ -225,11 +225,11 @@ module AutoForme
     end
 
     # Options to use for the form.  If the form uses POST, automatically adds the CSRF token.
-    def form_opts
+    def form_opts(action=nil)
       opts = model.form_options_for(type, request).dup
       hidden_tags = opts[:hidden_tags] = []
-      if csrf = request.csrf_token_hash
-        hidden_tags << lambda{|tag| csrf if tag.attr[:method].to_s.upcase == 'POST'}
+      if csrf = request.csrf_token_hash(action)
+        hidden_tags << lambda{|tag| csrf if (tag.attr[:method] || tag.attr['method']).to_s.upcase == 'POST'}
       end
       opts
     end
@@ -243,7 +243,8 @@ module AutoForme
     # HTML content used for the new action
     def new_page(obj, opts={})
       page do
-        Forme.form(obj, form_attributes(:action=>url_for("create")), form_opts) do |f|
+        form_attr = form_attributes(:action=>url_for("create"))
+        Forme.form(obj, form_attr, form_opts(form_attr[:action])) do |f|
           model.columns_for(:new, request).each do |column|
             col_opts = column_options_for(:new, request, obj, column)
             if html = model.edit_html_for(obj, column, :new, request)
@@ -318,7 +319,8 @@ module AutoForme
           end.to_s
         end
         if type == :delete
-          t << Forme.form(form_attributes(:action=>url_for("destroy/#{model.primary_key_value(obj)}"), :method=>:post), form_opts) do |f1|
+          form_attr = form_attributes(:action=>url_for("destroy/#{model.primary_key_value(obj)}"), :method=>:post)
+          t << Forme.form(form_attr, form_opts(form_attr[:action])) do |f1|
             f1.button(:value=>'Delete', :class=>'btn btn-danger')
           end.to_s
         else
@@ -341,7 +343,8 @@ module AutoForme
     def edit_page(obj)
       page do
         t = String.new
-        t << Forme.form(obj, form_attributes(:action=>url_for("update/#{model.primary_key_value(obj)}")), form_opts) do |f|
+        form_attr = form_attributes(:action=>url_for("update/#{model.primary_key_value(obj)}"))
+        t << Forme.form(obj, form_attr, form_opts(form_attr[:action])) do |f|
           model.columns_for(:edit, request).each do |column|
             col_opts = column_options_for(:edit, request, obj, column)
             if html = model.edit_html_for(obj, column, :edit, request)
@@ -479,7 +482,8 @@ module AutoForme
           page do
             t = String.new
             t << "<h2>Edit #{humanize(assoc)} for #{h model.object_display_name(type, request, obj)}</h2>"
-            t << Forme.form(obj, form_attributes(:action=>url_for("mtm_update/#{model.primary_key_value(obj)}?association=#{assoc}")), form_opts) do |f|
+            form_attr = form_attributes(:action=>url_for("mtm_update/#{model.primary_key_value(obj)}?association=#{assoc}"))
+            t << Forme.form(obj, form_attr, form_opts(form_attr[:action])) do |f|
               opts = model.column_options_for(:mtm_edit, request, assoc)
               add_opts = opts[:add] ? opts.merge(opts.delete(:add)) : opts
               remove_opts = opts[:remove] ? opts.merge(opts.delete(:remove)) : opts
@@ -487,9 +491,9 @@ module AutoForme
               if model.association_autocomplete?(assoc, request)
                 f.input(assoc, {:type=>'text', :class=>'autoforme_autocomplete', :attr=>{'data-type'=>'association', 'data-column'=>assoc, 'data-exclude'=>model.primary_key_value(obj)}, :value=>''}.merge(add_opts))
               else
-                f.input(assoc, {:dataset=>model.unassociated_mtm_objects(request, assoc, obj)}.merge(add_opts))
+                f.input(assoc, {:dataset=>model.unassociated_mtm_objects(request, assoc, obj), :size=>10}.merge(add_opts))
               end
-              f.input(assoc, {:name=>'remove[]', :id=>'remove', :label=>'Disassociate From', :dataset=>model.associated_mtm_objects(request, assoc, obj), :value=>[]}.merge(remove_opts))
+              f.input(assoc, {:name=>'remove[]', :id=>'remove', :label=>'Disassociate From', :dataset=>model.associated_mtm_objects(request, assoc, obj), :value=>[], :size=>10}.merge(remove_opts))
               f.button(:value=>'Update', :class=>'btn btn-primary')
             end.to_s
           end
@@ -622,13 +626,13 @@ module AutoForme
     # page.
     def association_link(mc, assoc_obj)
       if mc
-        t = mc.object_display_name(:association, request, assoc_obj)
+        t = h(mc.object_display_name(:association, request, assoc_obj))
         if mc.supported_action?(type, request)
           t = "<a href=\"#{base_url_for("#{mc.link}/#{type}/#{mc.primary_key_value(assoc_obj)}")}\">#{t}</a>"
         end
         t
       else
-        model.default_object_display_name(assoc_obj)
+        h(model.default_object_display_name(assoc_obj))
       end
     end
 
@@ -641,7 +645,7 @@ module AutoForme
       t << "<div class='inline_mtm_add_associations'>"
       assocs.each do |assoc|
         form_attr = form_attributes(:action=>url_for("mtm_update/#{model.primary_key_value(obj)}?association=#{assoc}&redir=edit"), :class => 'mtm_add_associations', 'data-remove' => "##{assoc}_remove_list")
-        t << Forme.form(obj, form_attr, form_opts) do |f|
+        t << Forme.form(obj, form_attr, form_opts(form_attr[:action])) do |f|
           opts = model.column_options_for(:mtm_edit, request, assoc)
           add_opts = opts[:add] ? opts.merge(opts.delete(:add)) : opts.dup
           add_opts = {:name=>'add[]', :id=>"add_#{assoc}"}.merge(add_opts)
@@ -674,7 +678,7 @@ module AutoForme
       t << "<li>"
       t << association_link(mc, assoc_obj)
       form_attr = form_attributes(:action=>url_for("mtm_update/#{model.primary_key_value(obj)}?association=#{assoc}&remove%5b%5d=#{model.primary_key_value(assoc_obj)}&redir=edit"), :method=>'post', :class => 'mtm_remove_associations', 'data-add'=>"#add_#{assoc}")
-      t << Forme.form(form_attr, form_opts) do |f|
+      t << Forme.form(form_attr, form_opts(form_attr[:action])) do |f|
         f.button(:value=>'Remove', :class=>'btn btn-xs btn-danger')
       end.to_s
       t << "</li>"

data/lib/autoforme/frameworks/rails.rb

@@ -29,7 +29,7 @@ module AutoForme
         end
         
         # Use Rails's form_authenticity_token for CSRF protection.
-        def csrf_token_hash
+        def csrf_token_hash(action=nil)
           vc = @controller.view_context
           {vc.request_forgery_protection_token.to_s=>vc.form_authenticity_token} if vc.protect_against_forgery?
         end

data/lib/autoforme/frameworks/roda.rb

@@ -37,9 +37,39 @@ module AutoForme
           @env['HTTP_X_REQUESTED_WITH'] =~ /XMLHttpRequest/i
         end
         
+        # Set the flash at notice level when redirecting, so it shows
+        # up on the redirected page.
+        def set_flash_notice(message)
+          @controller.flash[flash_symbol_keys? ? :notice : 'notice'] = message
+        end
+
+        # Set the current flash at error level, used when displaying
+        # pages when there is an error.
+        def set_flash_now_error(message)
+          @controller.flash.now[flash_symbol_keys? ? :error : 'error'] = message
+        end
+
         # Use Rack::Csrf for csrf protection if it is defined.
-        def csrf_token_hash
-          {::Rack::Csrf.field=>::Rack::Csrf.token(@env)} if defined?(::Rack::Csrf)
+        def csrf_token_hash(action=nil)
+          if @controller.respond_to?(:check_csrf!)
+            # Using route_csrf plugin
+            # :nocov:
+            token = if @controller.use_request_specific_csrf_tokens?
+              @controller.csrf_token(@controller.csrf_path(action))
+            else
+              @controller.csrf_token
+            end
+            {@controller.csrf_field=>token}
+            # :nocov:
+          elsif defined?(::Rack::Csrf)
+            {::Rack::Csrf.field=>::Rack::Csrf.token(@env)}
+          end
+        end
+
+        private
+
+        def flash_symbol_keys?
+          !@controller.opts[:sessions_convert_symbols]
         end
       end
 

data/lib/autoforme/frameworks/sinatra.rb

@@ -29,7 +29,7 @@ module AutoForme
         end
         
         # Use Rack::Csrf for csrf protection if it is defined.
-        def csrf_token_hash
+        def csrf_token_hash(action=nil)
           {::Rack::Csrf.field=>::Rack::Csrf.token(@env)} if defined?(::Rack::Csrf)
         end
       end

data/lib/autoforme/model.rb

@@ -389,7 +389,7 @@ module AutoForme
     
     def normalize_mtm_associations(assocs)
       if assocs == :all
-        mtm_association_names
+        editable_mtm_association_names
       else
         Array(assocs)
       end

data/lib/autoforme/models/sequel.rb

@@ -98,14 +98,26 @@ module AutoForme
         ref[:keys].zip(ref[:primary_keys].map{|k| obj.send(k)})
       end
 
+      # Array of many to many association name strings for editable
+      # many to many associations.
+      def editable_mtm_association_names
+        association_names([:many_to_many]) do |r|
+          model.method_defined?(r.add_method) && model.method_defined?(r.remove_method)
+        end
+      end
+
       # Array of many to many association name strings.
       def mtm_association_names
         association_names([:many_to_many])
       end
 
-      # Array of association name strings for given association types
+      # Array of association name strings for given association types. If a block is
+      # given, only include associations where the block returns truthy.
       def association_names(types=SUPPORTED_ASSOCIATION_TYPES)
-        model.all_association_reflections.select{|r| types.include?(r[:type])}.map{|r| r[:name]}.sort_by(&:to_s)
+        model.all_association_reflections.
+          select{|r| types.include?(r[:type]) && (!block_given? || yield(r))}.
+          map{|r| r[:name]}.
+          sort_by(&:to_s)
       end
 
       # Save the object, returning the object if successful, or nil if not.
@@ -158,7 +170,7 @@ module AutoForme
         params = request.params
         ds = apply_associated_eager(:search, request, all_dataset_for(type, request))
         columns_for(:search_form, request).each do |c|
-          if (v = params[c.to_s]) && !v.empty?
+          if (v = params[c.to_s]) && !(v = v.to_s).empty?
             if association?(c)
               ref = model.association_reflection(c)
               ads = ref.associated_dataset
@@ -168,9 +180,16 @@ module AutoForme
               primary_key = S.qualify(ref.associated_class.table_name, ref.primary_key)
               ds = ds.where(S.qualify(model.table_name, ref[:key])=>ads.where(primary_key=>v).select(primary_key))
             elsif column_type(c) == :string
-              ds = ds.where(S.ilike(S.qualify(model.table_name, c), "%#{ds.escape_like(v.to_s)}%"))
+              ds = ds.where(S.ilike(S.qualify(model.table_name, c), "%#{ds.escape_like(v)}%"))
             else
-              ds = ds.where(S.qualify(model.table_name, c)=>model.db.typecast_value(column_type(c), v))
+              begin
+                typecasted_value = model.db.typecast_value(column_type(c), v)
+              rescue S::InvalidValue
+                ds = ds.where(false)
+                break
+              else
+                ds = ds.where(S.qualify(model.table_name, c)=>typecasted_value)
+              end
             end
           end
         end
@@ -293,7 +312,11 @@ module AutoForme
               ids.each do |id|
                 next if id.to_s.empty?
                 ret = assoc_class ? assoc_class.with_pk(:association, request, id) : obj.send(:_apply_association_options, ref, ref.associated_class.dataset.clone).with_pk!(id)
-                obj.send(meth, ret)
+                begin
+                  model.db.transaction(:savepoint=>true){obj.send(meth, ret)}
+                rescue S::UniqueConstraintViolation
+                  # Already added, safe to ignore
+                end
               end
             end
           end

data/lib/autoforme/version.rb

@@ -1,8 +1,22 @@
 # frozen-string-literal: true
 
 module AutoForme
+  # The major version of AutoForme, updated only for major changes that are
+  # likely to require modification to apps using AutoForme.
+  MAJOR = 1
+
+  # The minor version of AutoForme, updated for new feature releases of AutoForme.
+  MINOR = 10
+
+  # The patch version of AutoForme, updated only for bug fixes from the last
+  # feature release.
+  TINY = 0
+
   # Version constant, use <tt>AutoForme.version</tt> instead.
-  VERSION = '1.7.0'.freeze
+  VERSION = "#{MAJOR}.#{MINOR}.#{TINY}".freeze
+
+  # The full version of AutoForme as a number (1.8.0 => 10800)
+  VERSION_NUMBER = MAJOR*10000 + MINOR*100 + TINY
 
   # Returns the version as a frozen string (e.g. '0.1.0')
   def self.version

data/spec/associations_spec.rb

@@ -51,6 +51,50 @@ describe AutoForme do
     page.all('td').map{|s| s.text}.must_equal ["Album1b", "Artist2", "Show", "Edit", "Delete"]
   end
 
+  it "should escape display names in association links" do
+    app_setup do
+      model Artist
+      model Album do
+        columns [:name, :artist]
+      end
+      association_links :all
+    end
+
+    visit("/Artist/new")
+    fill_in 'Name', :with=>'Art&"ist2'
+    click_button 'Create'
+
+    visit("/Album/new")
+    fill_in 'Name', :with=>'Album1'
+    select 'Art&"ist2'
+    click_button 'Create'
+
+    click_link 'Edit'
+    select 'Album1'
+    click_button 'Edit'
+    page.html.must_match(%r{- <a href="/Artist/edit/\d+">Art&amp;&quot;ist2})
+  end
+
+  it "should escape display names in association links" do
+    app_setup do
+      model Album do
+        columns [:name, :artist]
+      end
+      association_links :all
+    end
+
+    Artist.create(:name=>'Art&"ist2')
+    visit("/Album/new")
+    fill_in 'Name', :with=>'Album1'
+    select 'Art&"ist2'
+    click_button 'Create'
+
+    click_link 'Edit'
+    select 'Album1'
+    click_button 'Edit'
+    page.html.must_include("- Art&amp;&quot;ist2")
+  end
+
   it "should use text boxes for associated objects on new/edit/search forms if associated model uses autocompleting" do
     app_setup do
       model Artist do

data/spec/basic_spec.rb

@@ -573,7 +573,7 @@ describe AutoForme do
     page.all('td').map{|s| s.text}.must_equal []
   end
 
-  it "should correct handle validation errors" do
+  it "should correctly handle validation errors" do
     app_setup(Artist)
     Artist.send(:define_method, :validate) do
       errors.add(:name, "bad name") if name == 'Foo'
@@ -583,6 +583,7 @@ describe AutoForme do
     page.title.must_equal 'Artist - New'
     fill_in 'Name', :with=>'Foo'
     click_button 'Create'
+    page.title.must_equal 'Artist - New'
     page.html.must_include 'Error Creating Artist'
     page.html.must_include 'bad name'
     fill_in 'Name', :with=>'TestArtistNew'
@@ -597,6 +598,7 @@ describe AutoForme do
     click_button 'Edit'
     fill_in 'Name', :with=>'Foo'
     click_button 'Update'
+    page.title.must_equal 'Artist - Edit'
     page.html.must_include 'Error Updating Artist'
     page.html.must_include 'bad name'
     fill_in 'Name', :with=>'TestArtistUpdate'
@@ -952,19 +954,29 @@ describe AutoForme do
   after(:all) do
     Object.send(:remove_const, :Artist)
   end
-
-  it "should display decimals in float format in tables" do
+  before do
     app_setup(Artist)
     visit("/Artist/new")
     page.title.must_equal 'Artist - New'
     fill_in 'Num', :with=>'1.01'
     click_button 'Create'
+    visit("/Artist/browse")
+  end
+
+  it "should display decimals in float format in tables" do
     click_link 'Artist'
     page.all('tr td:first-child').map{|s| s.text}.must_equal %w'1.01'
     click_link 'Search'
     click_button 'Search'
     page.all('tr td:first-child').map{|s| s.text}.must_equal %w'1.01'
   end
+
+  it "should treat invalid search fields as returning no results" do
+    click_link 'Search'
+    fill_in 'Num', :with=>'3/3/2020'
+    click_button 'Search'
+    page.all('tr td:first-child').map{|s| s.text}.must_equal []
+  end
 end
 
 describe AutoForme do

data/spec/mtm_spec.rb

@@ -507,3 +507,115 @@ describe AutoForme do
     page.all('select')[1].all('option').map{|s| s.text}.must_equal ["Album2", "Album3"]
   end
 end
+
+describe AutoForme do
+  before(:all) do
+    db_setup(:artists=>[[:name, :string]], :albums=>[[:name, :string]], :albums_artists=>proc{column :album_id, :integer, :table=>:albums; column :artist_id, :integer, :table=>:artists; primary_key [:album_id, :artist_id]})
+    model_setup(:Artist=>[:artists, [[:many_to_many, :albums]]], :Album=>[:albums, [[:many_to_many, :artists]]])
+  end
+  after(:all) do
+    Object.send(:remove_const, :Album)
+    Object.send(:remove_const, :Artist)
+  end
+
+  it "should handle unique constraint violation errors when adding associated objects" do
+    app_setup do
+      model Artist do
+        mtm_associations :albums
+      end
+      model Album
+    end
+
+    artist = Artist.create(:name=>'Artist1')
+    album = Album.create(:name=>'Album1')
+
+    visit("/Artist/mtm_edit")
+    page.title.must_equal 'Artist - Many To Many Edit'
+    select("Artist1")
+    click_button "Edit"
+
+    find('h2').text.must_equal 'Edit Albums for Artist1'
+    page.all('select')[0].all('option').map{|s| s.text}.must_equal ["Album1"]
+    page.all('select')[1].all('option').map{|s| s.text}.must_equal []
+    select("Album1", :from=>"Associate With")
+    artist.add_album(album)
+    click_button "Update"
+    page.html.must_include 'Updated albums association for Artist'
+    Artist.first.albums.map{|x| x.name}.must_equal %w'Album1'
+  end
+
+  it "should handle unique constraint violation errors when adding associated objects" do
+    app_setup do
+      model Artist do
+        mtm_associations :albums
+      end
+      model Album
+    end
+
+    artist = Artist.create(:name=>'Artist1')
+    album = Album.create(:name=>'Album1')
+    artist.add_album(album)
+
+    visit("/Artist/mtm_edit")
+    page.title.must_equal 'Artist - Many To Many Edit'
+    select("Artist1")
+    click_button "Edit"
+
+    find('h2').text.must_equal 'Edit Albums for Artist1'
+    page.all('select')[0].all('option').map{|s| s.text}.must_equal []
+    page.all('select')[1].all('option').map{|s| s.text}.must_equal ["Album1"]
+    select("Album1", :from=>"Disassociate From")
+    artist.remove_album(album)
+    click_button "Update"
+    page.html.must_include 'Updated albums association for Artist'
+    Artist.first.albums.map{|x| x.name}.must_equal []
+  end
+end
+
+describe AutoForme do
+  before(:all) do
+    db_setup(:artists=>[[:name, :string]], :albums=>[[:name, :string]], :albums_artists=>[[:album_id, :integer, {:table=>:albums}], [:artist_id, :integer, {:table=>:artists}]])
+    model_setup(:Artist=>[:artists, [[:many_to_many, :albums, :read_only=>true]]], :Album=>[:albums, [[:many_to_many, :artists, :read_only=>true]]])
+  end
+  after(:all) do
+    Object.send(:remove_const, :Album)
+    Object.send(:remove_const, :Artist)
+  end
+
+  it "should not automatically setup mtm support for read-only associations" do
+    app_setup do
+      model Artist do
+        mtm_associations :all
+        association_links :all
+      end
+      model Album do
+        mtm_associations :all
+        association_links :all
+      end
+    end
+
+    visit("/Artist/new")
+    page.html.wont_include 'MTM'
+    fill_in 'Name', :with=>'Artist1'
+    click_button 'Create'
+    click_link 'Edit'
+    select 'Artist1'
+    click_button 'Edit'
+    page.html.must_include 'Albums'
+    page.html.wont_include '>associate<'
+    visit("/Artist/mtm_edit")
+    page.html.must_include 'Unhandled Request'
+
+    visit("/Album/new")
+    page.html.wont_include 'MTM'
+    fill_in 'Name', :with=>'Album1'
+    click_button 'Create'
+    click_link 'Edit'
+    select 'Album1'
+    click_button 'Edit'
+    page.html.must_include 'Artists'
+    page.html.wont_include '>associate<'
+    visit("/Album/mtm_edit")
+    page.html.must_include 'Unhandled Request'
+  end
+end

data/spec/rails_spec_helper.rb

@@ -1,10 +1,19 @@
 require 'rubygems'
+require 'rails'
 require 'action_controller/railtie'
 require 'autoforme'
 
 class AutoFormeSpec::App
+  class << self
+    # Workaround for action_view railtie deleting the finalizer
+    attr_accessor :av_finalizer
+  end
+
   def self.autoforme(klass=nil, opts={}, &block)
     sc = Class.new(Rails::Application)
+    def sc.name
+      "AutoForme Test"
+    end
     framework = nil
     sc.class_eval do
       controller = Class.new(ActionController::Base)
@@ -13,7 +22,7 @@ class AutoFormeSpec::App
       resolver = Class.new(ActionView::Resolver)
       resolver.class_eval do
         template = ActionView::Template
-        t = [template.new(<<HTML, "layout", template.handler_for_extension(:erb), {:virtual_path=>'layout', :format=>'erb', :updated_at=>Time.now})]
+        code = (<<HTML)
 <!DOCTYPE html>
 <html>
 <head><title><%= @autoforme_action.title if @autoforme_action %></title></head>
@@ -27,6 +36,11 @@ class AutoFormeSpec::App
 <%= yield %>
 </body></html>"
 HTML
+        if Rails.version > '6'
+          t = [template.new(code, "layout", template.handler_for_extension(:erb), :virtual_path=>'layout', :format=>'erb', :locals=>[])]
+        else
+          t = [template.new(code, "layout", template.handler_for_extension(:erb), :virtual_path=>'layout', :format=>'erb', :updated_at=>Time.now)]
+        end
 
         define_method(:find_templates){|*args| t}
       end
@@ -50,14 +64,27 @@ HTML
         end
       end
 
-      config.secret_token = routes.append do
+      st = routes.append do
         get 'session/set', :controller=>'autoforme', :action=>'session_set'
       end.inspect
+      config.secret_token = st if Rails.respond_to?(:version) && Rails.version < '5.2'
+      config.hosts << "www.example.com" if config.respond_to?(:hosts)
       config.active_support.deprecation = :stderr
       config.middleware.delete(ActionDispatch::ShowExceptions)
       config.middleware.delete(Rack::Lock)
-      config.secret_key_base = 'foo'
+      config.secret_key_base = st*15
       config.eager_load = true
+      if Rails.version.start_with?('4')
+        # Work around issue in backported openssl environments where
+        # secret is 64 bytes intead of 32 bytes
+        require 'active_support/message_encryptor'
+        ActiveSupport::MessageEncryptor.send :prepend, Module.new {
+          def initialize(secret, *signature_key_or_options)
+            secret = secret[0, 32]
+            super
+          end
+        }
+      end
       if Rails.version > '4.2'
         config.action_dispatch.cookies_serializer = :json
       end
@@ -66,6 +93,14 @@ HTML
         ActionDispatch::Routing::RouteSet::Dispatcher.class_eval do
           define_method(:controller){|_| controller}
         end
+        config.session_store :cookie_store, :key=>'_autoforme_test_session'
+      end
+      if Rails.version > '6'
+        if AutoFormeSpec::App.av_finalizer
+          config.action_view.finalize_compiled_template_methods = AutoFormeSpec::App.av_finalizer
+        else
+          AutoFormeSpec::App.av_finalizer = config.action_view.finalize_compiled_template_methods
+        end
       end
       initialize!
     end

data/spec/roda_spec_helper.rb

@@ -4,8 +4,7 @@ require 'autoforme'
 require 'rack/csrf'
 
 begin
-  require 'erubis'
-  require 'tilt/erubis'
+  require 'tilt/erubi'
 rescue LoadError
   require 'tilt/erb'
 end
@@ -14,31 +13,49 @@ class AutoFormeSpec::App < Roda
   opts[:unsupported_block_result] = :raise
   opts[:unsupported_matcher] = :raise
   opts[:verbatim_string_matcher] = true
+  opts[:check_dynamic_arity] = opts[:check_arity] = :warn
 
   LAYOUT = <<HTML
 <!DOCTYPE html>
 <html>
 <head><title><%= @autoforme_action.title if @autoforme_action %></title></head>
 <body>
-<% if flash[:notice] %>
-  <div class="alert alert-success"><p><%= flash[:notice] %></p></div>
+<% if notice = opts[:sessions_convert_symbols] ? flash['notice'] : flash[:notice] %>
+  <div class="alert alert-success"><p><%= notice %></p></div>
 <% end %>
-<% if flash[:error] %>
-  <div class="alert alert-error"><p><%= flash[:error] %></p></div>
+<% if error = opts[:sessions_convert_symbols] ? flash['error'] : flash[:error] %>
+  <div class="alert alert-error"><p><%= error %></p></div>
 <% end %>
 <%= yield %>
 </body></html>"
 HTML
 
-  use Rack::Session::Cookie, :secret => '1'
-  use Rack::Csrf
+  plugin :flash
+
+  if defined?(Roda::RodaVersionNumber) && Roda::RodaVersionNumber >= 30100
+    if ENV['RODA_ROUTE_CSRF'] == '0'
+      require 'roda/session_middleware'
+      opts[:sessions_convert_symbols] = true
+      use RodaSessionMiddleware, :secret=>SecureRandom.random_bytes(64)
+    else
+      ENV['RODA_ROUTE_CSRF'] ||= '1'
+      plugin :sessions, :secret=>SecureRandom.random_bytes(64)
+    end
+  else
+    use Rack::Session::Cookie, :secret => '1'
+  end
+
+  if ENV['RODA_ROUTE_CSRF'].to_i > 0
+    plugin :route_csrf, :require_request_specific_tokens=>ENV['RODA_ROUTE_CSRF'] == '1'
+  else
+    use Rack::Csrf
+  end
 
   template_opts = {:default_encoding=>nil}
   plugin :render, :layout=>{:inline=>LAYOUT}, :template_opts=>template_opts, :opts=>template_opts
   plugin :not_found do
     'Unhandled Request'
   end
-  plugin :flash
 
   def self.autoforme(klass=nil, opts={}, &block)
     sc = Class.new(self)
@@ -54,6 +71,8 @@ HTML
       end
 
       route do |r|
+        check_csrf! if ENV['RODA_ROUTE_CSRF'].to_i > 0
+
         r.get 'session/set' do
           session.merge!(r.params)
           ''

data/spec/spec_helper.rb

@@ -24,13 +24,15 @@ require "./spec/#{ENV['FRAMEWORK']}_spec_helper"
 require 'capybara'
 require 'capybara/dsl'
 require 'rack/test'
+
+ENV['MT_NO_PLUGINS'] = '1' # Work around stupid autoloading of plugins
 gem 'minitest'
-require 'minitest/autorun'
+require 'minitest/global_expectations/autorun'
 require 'minitest/hooks/default'
 
 if ENV['WARNING']
   require 'warning'
-  Warning.ignore([:missing_ivar, :fixnum])
+  Warning.ignore([:missing_ivar, :fixnum, :not_reached])
 end
 
 require './spec/sequel_spec_helper'

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: autoforme
 version: !ruby/object:Gem::Version
-  version: 1.7.0
+  version: 1.10.0
 platform: ruby
 authors:
 - Jeremy Evans
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-10-27 00:00:00.000000000 Z
+date: 2021-08-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: forme
@@ -94,6 +94,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 1.1.0
+- !ruby/object:Gem::Dependency
+  name: minitest-global_expectations
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: capybara
   requirement: !ruby/object:Gem::Requirement
@@ -243,7 +257,12 @@ files:
 homepage: http://github.com/jeremyevans/autoforme
 licenses:
 - MIT
-metadata: {}
+metadata:
+  bug_tracker_uri: https://github.com/jeremyevans/autoforme/issues
+  changelog_uri: http://autoforme.jeremyevans.net/files/CHANGELOG.html
+  documentation_uri: http://autoforme.jeremyevans.net
+  mailing_list_uri: https://github.com/jeremyevans/autoforme/discussions
+  source_code_uri: https://github.com/jeremyevans/autoforme
 post_install_message: 
 rdoc_options:
 - "--quiet"
@@ -266,8 +285,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.6.13
+rubygems_version: 3.2.22
 signing_key: 
 specification_version: 4
 summary: Web Administrative Console for Roda/Sinatra/Rails and Sequel::Model